Solved

Remote Access to company mail

Posted on 2004-09-13
Last Modified: 2011-09-20
Hello,

I have a problem.  My company has an internal Exchange 2003 Server, running on Windows 2003 SBS.  This Exchange Server downloads mail from our webhost, and therefore does not directly receive mail for our domain.  All mail forwarded to my email address first goes to our webhost, then our Exchange Server gets it from there and distributes it accordingly.

I need to get remote access to my mail by the most secure means possible.  We have a current network administrator that is paranoid about publishing internal resources onto the web, yet we NEED to get our mail remotely.

I have done A LOT of reading on this topic, and have decided to use MS ISA Server and Outlook Web Access (OWA) to facilitate access to the internal mail.  That way, we will be able to log on from anywhere with an internet connection, and view our existing archive of mail.

This poses several problems (and questions) however.

Internet Connection - our internet connection is a home user ADSL type plan, with a dynamic IP address.  The DSL line comes into our building and plugs straight into a 4 port DSL modem/router.  Our server is then run off the router, as well as all our client machines.  We do not have any dedicated hardware firewall devices.  We are solely relying on the NAT firewall that is in our router.  We have no DNS name mapped to any internal resources; our webhost hosts all mail and web content.

What would be the best way to get remote access to our OWA Mail?  I can currently type SERVERNAME\EXCHANGE into internet explorer and get the OWA successfully.  Our next step is to SECURELY publish this to make it accessible to the internet.  Can anyone please give me an idea on what the best way would be to configure ISA Server to allow secure remote access to the webmail?

Thank you,

Dean.
Question by:aktivemofo

Accepted Solution

by:
The--Captain earned 100 total points
ID: 12041752
Is there some reason why you cannot just pull your mail from the same place the exchange server gets it via some sort of webmail gateway?  

Hosting externally visible internet services on a dynamic IP is ill-advised, although some folks can't seem to live without it - to that end, folks like those at http://www.dyndns.org/ are there to fill the void.  

>I can currently type SERVERNAME\EXCHANGE into internet explorer and get the OWA successfully

Hmmm - that sounds like something that is unlikely to work outside the LAN - are there any secure webmail clients (i.e. use https) that you can install on your exchange server?

Cheers,
-Jon

Assisted Solution

by:gnegrota
gnegrota earned 100 total points
ID: 12041844
OWA does have the HTTPS access mode; the problem is that this type of connection is unsafe in any case if you are not using a 'real' firewall. The 'best' way is to set up VPN access (with IPSec, for example) in your network and from there to access OWA in HTTPS and firewall all other things. Check your router's capabilities for VPN access.
To 'detect' the IP of your connection, use the suggestion of The--Captain!

Assisted Solution

by:ITcrow
ITcrow earned 100 total points
ID: 12041989

Connect using VPN
Outlook Web Access to access emails.

Since your company has dynamic IP address, follow Jon's suggestion and go to
http://www.dyndns.org for a work-around.

Assisted Solution

by:cooledit
cooledit earned 100 total points
ID: 12042029
Hi there,

You mentioned remote clients get a dynamic IP from the provider, right?

If you split the network into 3 subnets

1 for the internal users
1 for the Exchange server DMZ zone (I assume it's already there)
1 for the remote users

Internal ACL's have access to all + Exchange server by new route

Remote Users only to smtp port 25 forward it to the IP of the exchange server.

Assisted Solution

by:hstiles
hstiles earned 100 total points
ID: 12045113
Whatever solution you choose, the more secure you want to make it, the more complex it will probably end up being.

I would prefer a VPN type solution to anything else simply because it would give you the greatest flexibility:

using the VPN approach you could:

set up OWA via VPN.  This would remove the need for SSL encryption
use Outlook as you would in the office just providing the exchange server name
use IMAP and SMTP - although unnecessary if you are VPNing in

Otherwise:

OWA but you would have to protect via SSL and preferably publish using ISA
IMAP over the internet
Outlook via RPC over HTTPS, but this would require a front end Exchange server even if you are using ISAS

Author Comment

by:aktivemofo
ID: 12049808
Hello,

Thank you all for your suggestions.

Unfortunately, I could not convince my colleagues to consider a VPN.  It looks like we will have to use ISA Server and publish the resources as needed.

What is the best practice to install an ISA Server?  Does it HAVE to live in the DMZ? And if so, does the ISA Server software protect that actual machine - i.e. will it act as a desktop firewall for that particular box?  We do not have (and cannot afford) any firewalls... we pretty much have software only.  If we did resolve to use ISA Server, would the setup be like this:

[INTERNET] --> [ROUTER] --> [ISA SERVER] --> [SWITCH] --> [INTERNAL LAN]

I think that the biggest problem I have is understanding where to put the ISA Server, and how many network cards does it need?  So many of the guides I have read say that you need 2 NICs in the ISA box... one for internal and one for external?

Once again, any suggestions are welcome.

Thanks in advance.

-DEAN.

Expert Comment

by:gnegrota
ID: 12051972
The best practice is
---LAN(inside)---/ ISA /---| Router |--->( ISP )
                    |
                    | [dmz]
                    |
                / Server /

In this case, ISA can be used to isolate the servers (Web, Mail, etc.), VPN access inside, firewall and filter.

Expert Comment

by:nishakash
ID: 12232634
Hi:

I have my Exchange server on the DMZ. When I use Outlook 2003, everything works fine.

BUT when I remove my server from DMZ, then Outlook does not work and it gives the error message "Exchange server unavailable".

Please can anyone help.  I have ports 80, 110, 25, 3389, 443 and 445 open already on the router.


Thanks